Hetzner Firewall
When running a server, it’s essential to have at least some basic security measures in place. One of the most effective ways to protect your server is by using a firewall.
Hetzner provides a built-in firewall at the network level, filtering traffic before it even reaches your dedicated server. This helps block unwanted connections and enhances security.
Since I run web, DNS, mail, and SSH services on my server, I have configured the following firewall rules:
# | Name | Source IP | Destination IP | Source port | Destination port | Protocol | TCP flags | Action
---|---|---|---|---|---|---|---|---
#1 | SSH | | | | 22 | tcp | | accept
#2 | DNS TCP | | | | 53 | tcp | | accept
#3 | DNS UDP | | | | 53 | udp | | accept
#4 | HTTP | | | | 80 | tcp | | accept
#5 | HTTPS | | | | 443 | tcp | | accept
#6 | SMTP | | | | 25 | tcp | | accept
#7 | SMTP TLS | | | | 587 | tcp | | accept
#8 | IMAP TLS | | | | 993 | tcp | | accept
#9 | POP3 TLS | | | | 995 | tcp | | accept
#10 | Out | | | | 32768-65535 | tcp | ack | accept
Important: Before applying these firewall rules, ensure that you can access your server via SSH. Otherwise, you risk locking yourself out!
Why the Last Rule Matters
The last rule (#10, "Out") is crucial because the Hetzner firewall is stateless and filters incoming packets: it accepts the reply packets of connections your server itself initiates (TCP packets with the ACK flag set, addressed to a port in the ephemeral range 32768-65535), which is what tasks such as software updates rely on. Without it, your server may face connectivity issues when retrieving external resources.
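To make the stateless, first-match semantics of this rule set concrete, here is an added example (my own model, not Hetzner's code or an API client): it encodes the ten rules from the table above and evaluates a few constructed sample packets against them, showing which ones the SSH and DNS rules accept, which fall through to the default deny, and why only the ACK-flagged replies to the server's own outbound connections pass rule #10. The `Rule` and `Packet` types, the `"discard"` label for the default action, and all sample packets are assumptions of this model.

```python
"""Model of the stateless, inbound-only rule set from the table above.

Added example, not Hetzner's code. Rules are matched top to bottom, first
match wins, and anything unmatched falls through to the default deny.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    protocol: Optional[str]              # "tcp" or "udp"; None matches any protocol
    dst_port: Optional[Tuple[int, int]]  # inclusive destination-port range; None matches any
    tcp_flags: Tuple[str, ...] = ()      # every listed flag must be set on the packet
    action: str = "accept"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    flags: Tuple[str, ...] = ()          # TCP flags set on the packet, e.g. ("syn",) or ("ack",)


def port(p: int) -> Tuple[int, int]:
    """Single destination port expressed as a one-element range."""
    return (p, p)


# The ten rules from the article's table, in order.
RULES: List[Rule] = [
    Rule("SSH", "tcp", port(22)),
    Rule("DNS TCP", "tcp", port(53)),
    Rule("DNS UDP", "udp", port(53)),
    Rule("HTTP", "tcp", port(80)),
    Rule("HTTPS", "tcp", port(443)),
    Rule("SMTP", "tcp", port(25)),
    Rule("SMTP TLS", "tcp", port(587)),
    Rule("IMAP TLS", "tcp", port(993)),
    Rule("POP3 TLS", "tcp", port(995)),
    # Replies to the server's own outbound TCP connections: ACK set, ephemeral port.
    Rule("Out", "tcp", (32768, 65535), tcp_flags=("ack",)),
]

DEFAULT_ACTION = "discard"  # assumed label for the firewall's default deny


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Stateless match: protocol, destination port range and required TCP flags."""
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None:
        lo, hi = rule.dst_port
        if not lo <= pkt.dst_port <= hi:
            return False
    # A flag requirement can only be satisfied by a TCP packet carrying all listed flags.
    if rule.tcp_flags:
        if pkt.protocol != "tcp" or not set(rule.tcp_flags) <= set(pkt.flags):
            return False
    return True


def evaluate(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, name of the rule that decided); first match wins."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return DEFAULT_ACTION, "default"


# Constructed sample packets, all inbound to the server.
SAMPLE_PACKETS: Dict[str, Packet] = {
    "new SSH connection (SYN to 22)": Packet("tcp", 22, ("syn",)),
    "DNS query over UDP to 53": Packet("udp", 53),
    "new connection to unlisted port 3306": Packet("tcp", 3306, ("syn",)),
    "reply to outbound HTTPS (ACK to ephemeral 40000)": Packet("tcp", 40000, ("ack",)),
    "unsolicited SYN to ephemeral 40000": Packet("tcp", 40000, ("syn",)),
    "UDP reply to ephemeral 40000": Packet("udp", 40000),
}


def run_samples() -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample packet against the rule set."""
    return {label: evaluate(pkt) for label, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for label, (action, by) in run_samples().items():
        print(f"{label:50s} -> {action:8s} (rule: {by})")
```

Two things the run makes visible: an unsolicited SYN to a port in the ephemeral range is still discarded, because rule #10 requires the ACK flag, so the rule does not open those ports to new inbound connections; and a UDP packet to an ephemeral port matches nothing in this model, which is worth keeping in mind if the server's resolver issues UDP queries to external name servers.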
Enabling the Firewall
Since Hetzner’s firewall has a default deny policy, we only need to allow legitimate traffic. Once you’ve verified your access and reviewed the rules, you can enable the firewall via Hetzner’s web interface. Changes take approximately 30 seconds to apply.
Hetzner Firewall Limitations
One thing to keep in mind is that Hetzner currently limits firewall configurations to 10 rules. This means you’ll run out of available slots quickly, so plan your rules carefully to fit within these constraints.